CVSS2: 7.5 High (AV:N/AC:L/Au:N/C:P/I:P/A:P)
Attack Vector: NETWORK; Attack Complexity: LOW; Authentication: NONE
Confidentiality Impact: PARTIAL; Integrity Impact: PARTIAL; Availability Impact: PARTIAL
EPSS: 0.008 Low (percentile 82.2%)
Multiple vulnerabilities have been identified in the Optim E-Business Console making the product vulnerable to phishing attacks, the interception of credentials and the bypass of login entirely.
VULNERABILITY DETAILS:
CVE ID: CVE-2013-2953
DESCRIPTION: Use of MD5 as SSL Certificate Signature Algorithm - The signature algorithm used to sign the certificate used for secure communication is MD5. The signature algorithm is obsolete and using it may allow elaborate phishing attacks.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83662 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
CVE ID: CVE-2013-2954
DESCRIPTION: Inadequate Account Lockout - The Optim for E-Business Console login page does not restrict users after they repeatedly enter incorrect login credentials.
CVSS:
CVSS Base Score: 4.4
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83663 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:L/AC:M/AU:S/C:C/I:N/A:N)
CVE ID: CVE-2013-2955
DESCRIPTION: Stored Cross-Site Scripting - A user entering a malformed URL into their browser or clicking on a malformed URL link could allow an attacker to collect sensitive data.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83664 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
CVE ID: CVE-2013-2956
DESCRIPTION: Authentication Bypass Using SQL Injection - When logging into the Optim E-Business Console, authentication can be bypassed using SQL injection. An exploit will not impact the accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.
CVSS:
CVSS Base Score: 7.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83665 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:P/A:P)
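The two login weaknesses described above, inadequate account lockout (CVE-2013-2954) and authentication bypass through SQL injection (CVE-2013-2956), come down to how a login handler builds its query and whether it counts failures. The following is an added example written for this bulletin, not IBM's or the Optim product's code: a login check in the defective string-splicing shape next to a hardened version that uses a parameterised query, a constant-time digest comparison and a per-account failure counter. The user table, the keyed password digest, the account name and the lockout threshold are all constructed for the demo; it runs offline against an in-memory SQLite database using only the standard library.

```python
"""
Added example (not IBM or Optim code): a login check in two shapes.
  - login_vulnerable(): user input spliced into the SQL text, so a crafted
    username rewrites the WHERE clause and defeats the password check.
  - LoginService.login(): parameterised query, constant-time comparison and
    a failure counter that locks the account after LOCKOUT_THRESHOLD misses.
The user store, digest scheme and threshold are constructed for the demo.
"""
import hashlib
import hmac
import sqlite3
from collections import defaultdict

# Constructed values for the demo only.
SERVER_KEY = b"demo-only-server-key"
LOCKOUT_THRESHOLD = 5  # failed attempts before the account is locked


def digest(password: str) -> str:
    """Keyed hash of the password. Simplified for the demo: production code
    should use a salted password KDF (PBKDF2, bcrypt, scrypt or Argon2)."""
    return hmac.new(SERVER_KEY, password.encode(), hashlib.sha256).hexdigest()


def make_store() -> sqlite3.Connection:
    """Constructed in-memory user table holding one account."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)"
    )
    conn.execute("INSERT INTO users VALUES (?, ?)", ("alice", digest("correct horse")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Defective pattern: the username becomes part of the SQL text, so a
    quote in it ends the literal and the rest is parsed as SQL. The textbook
    tautology ' OR 1=1 -- therefore returns a row for any password."""
    sql = (
        "SELECT username FROM users "
        f"WHERE username = '{username}' AND pw_hash = '{digest(password)}'"
    )
    return conn.execute(sql).fetchone() is not None


class LoginService:
    """Hardened login: placeholders keep input as data, the digest comparison
    is constant-time, and repeated failures lock the account."""

    def __init__(self, conn: sqlite3.Connection):
        self.conn = conn
        # In-memory counter for the demo; a real service persists this
        # per account so the count survives restarts and spans nodes.
        self.failures = defaultdict(int)

    def is_locked(self, username: str) -> bool:
        return self.failures[username] >= LOCKOUT_THRESHOLD

    def login(self, username: str, password: str) -> str:
        """Returns 'ok', 'denied' or 'locked'."""
        if self.is_locked(username):
            return "locked"
        # The driver binds the username as a value; it can never change the
        # shape of the statement, whatever characters it contains.
        row = self.conn.execute(
            "SELECT pw_hash FROM users WHERE username = ?", (username,)
        ).fetchone()
        # Always compare against something so an unknown account takes the
        # same time as a wrong password and does not leak account existence.
        stored = row[0] if row else digest("")
        ok = hmac.compare_digest(stored, digest(password)) and row is not None
        if ok:
            self.failures.pop(username, None)
            return "ok"
        self.failures[username] += 1
        return "denied"


if __name__ == "__main__":
    conn = make_store()
    print("vulnerable, tautology as username:", login_vulnerable(conn, "' OR 1=1 --", "x"))
    svc = LoginService(make_store())
    print("hardened, same input:", svc.login("' OR 1=1 --", "x"))
    for _ in range(LOCKOUT_THRESHOLD):
        svc.login("alice", "wrong")
    print("hardened, correct password after repeated failures:", svc.login("alice", "correct horse"))
```

The lockout in the hardened path applies to the account name, so a correct password is refused once the threshold is reached; that is the behaviour the bulletin says the Console login page lacked. Note that the counter only resets on a successful login, which is the conservative choice for a demo; a production service would typically add a time-based unlock and alert on lockouts.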
CVE ID: CVE-2013-2957
DESCRIPTION: Cross-Site Scripting - A user entering a malformed URL into their browser or clicking on a malformed URL link could allow an attacker to collect sensitive data.
CVSS:
CVSS Base Score: 3.5
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83666 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:M/AU:S/C:N/I:P/A:N)
CVE ID: CVE-2013-2959
DESCRIPTION: Unencrypted Login Request - Credentials used for logging into the Optim E-Business Console are not encrypted and are thus subject to compromise. Exploitation requires local network access and the use of specialized knowledge and techniques. An exploit will not impact the accessibility of system resources, but both the confidentiality of information and the integrity of data could be compromised.
CVSS:
CVSS Base Score: 5.0
CVSS Temporal Score: See https://exchange.xforce.ibmcloud.com/vulnerabilities/83668 for the current score
CVSS Environmental Score*: Undefined
CVSS Vector: (AV:N/AC:L/AU:N/C:P/I:N/A:N)
AFFECTED PRODUCTS:
Versions 6.0 through 9.1 of IBM InfoSphere Optim Data Growth for Oracle E-Business Suite are affected.
REMEDIATION: The recommended solution is to apply Fix Pack 9.1.0.3 as soon as possible.
Fix(es):
For version 9.1:
- Apply Fix Pack 9.1.0.3
For other versions, contact technical support for assistance.
Workaround(s):
None known
Mitigation(s):
None known
REFERENCES:
- Complete CVSS Guide
- On-line Calculator V2
- X-Force Vulnerability Database
- CVE-2013-2953
- CVE-2013-2954
- CVE-2013-2955
- CVE-2013-2956
- CVE-2013-2957
- CVE-2013-2959
CHANGE HISTORY:
13-May-2013: Original version published
*The CVSS Environment Score is customer environment specific and will ultimately impact the Overall CVSS Score. Customers can evaluate the impact of this vulnerability in their environments by accessing the links in the Reference section of this Flash.
Note: According to the Forum of Incident Response and Security Teams (FIRST), the Common Vulnerability Scoring System (CVSS) is an "industry open standard designed to convey vulnerability severity and help to determine urgency and priority of response." IBM PROVIDES THE CVSS SCORES "AS IS" WITHOUT WARRANTY OF ANY KIND, INCLUDING THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. CUSTOMERS ARE RESPONSIBLE FOR ASSESSING THE IMPACT OF ANY ACTUAL OR POTENTIAL SECURITY VULNERABILITY.
Document information: Product: IBM InfoSphere Optim Test Data Management Solution (SSMLQ4); Component: Data Growth Solution for Oracle E-business Suite; Platforms: AIX, HP-UX, Linux, Solaris, Windows; Versions: 9.1, 7.1.2, 7.1.1, 7.1.0, 6.1, 6.0; Business Unit: IBM Software w/o TPS (BU059); Line of Business: Data and AI (LOB10).